|Publication number||US6948062 B1|
|Application number||US 10/017,539|
|Publication date||Sep 20, 2005|
|Filing date||Dec 12, 2001|
|Priority date||Dec 12, 2001|
|Publication number||017539, 10017539, US 6948062 B1, US 6948062B1, US-B1-6948062, US6948062 B1, US6948062B1|
|Inventors||Edward O. Clapper|
|Original Assignee||Intel Corporation|
The invention generally relates to encryption, and more particularly to encryption and decryption based on location or position information.
There are many reasons why one might wish to encrypt information, and there are many known and unknown public and private key cryptosystems to perform the encrypting. However, except for requiring interaction with a data entry device at a particular location, such as entering a code on a keypad affixed to a building (e.g., an alarm keypad), current encryption techniques are location independent; it does not matter where encryption or decryption occurs, only that encryption and decryption devices have proper keys to perform encryption or decryption.
The features and advantages of the present invention will become apparent from the following detailed description of the present invention in which:
Illustrated are encryption 106 and decryption 108 devices (or services) which may be configured to encrypt and decrypt data in accord with various encryption techniques. As illustrated, the encryption/decryption devices are communicatively coupled with the GPS 102, and may be configured to operate with conventional encryption or decryption keys, or with keys that are determined with respect to waypoint data in the waypoint database 104, positioning information received from a track log 110, or a current-position 112 read-out for the GPS.
It will be appreciated that different embodiments may provide only some of the illustrated position determination features 104, 110, 112 to encryption/decryption devices. And, although the GPS 102 and encryption/decryption devices are illustrated separately, it will be appreciated they may be combined into a single device 114, or be implemented as software operating within a machine (see, e.g.,
It will be appreciated by one skilled in the art that GPS functionality is described for exemplary purposes only, and other positioning technology, coordinate systems, or geodetic reference systems may be utilized. For example, one may use the well-known Long Range Navigation (Loran) system, in which a receiver measures time differences between terrestrial radio transmissions to triangulate a receiver's position. In the claims that follow, the phrase “spatial location” corresponds to coordinates or other position-identifying data provided by such position determination technology.
Thus, as will become more clear with reference to the following figures, data can be encrypted such that decryption must occur at or near a particular location. For example, a decryption key may be determined with respect to the desired decryption location. It will be appreciated that various techniques may be used to prevent location spoofing. For example, if encryption or decryption is only to occur at or near a particular location, a clock 116 within or associated with the GPS may be used to ensure real-time position information is used when performing encryption or decryption. Note that the disclosed encryption techniques are also applicable to data authentication (signing), to allow, for example, indication that a particular party sent data or received data at a particular location.
If location decryption is required, then a current location is acquired 210. As discussed above for
Assuming a new key is required, a waypoint is selected 404 for the encryption. The selected waypoint represents the location or area in which a decryption device must be present in order for decryption to occur, and therefore it is used to select an encryption key. A test 406 is performed to determine whether an encryption location, e.g., the present location of the encryption device, or another location or waypoint, should also be used to select the encryption key. Use of the encryption location requires a recipient of encrypted data to know the encryption location in order to perform a decryption. Such a location may be known in advance to legitimate users of a decrypting device, and thus serve as additional security. Assuming the encryption location is used, an encryption key is therefore determined 408, 410 with respect to the encryption location and the selected waypoint. However, if the encryption location was not used, then the encryption key is determined 410 with respect to the selected waypoint.
The identified data is then encrypted 412 with the determined encryption key. It will be appreciated that various cryptographic techniques may be applied to determine an encryption key that is reversible only when a decryption device is at (or, if desired, only near) the selected waypoint. Processing may then repeat with identifying 400 data to encrypt, and testing 402 whether a new key is required. If a new key is not required, processing jumps to encrypting 412 the data with the previous key.
The sender's encryption location is determined 504. As discussed above with respect to
A vector is then defined 506 with respect to the determined 504 encryption location and selected 500 waypoint. As used herein, the term vector is used in the mathematical sense, e.g., a mathematical representation of a direction and a magnitude, or distance between the encryption location and the waypoint. An encryption key is then determined 508 with respect to the defined vector. In one embodiment, the entire vector is used in determining the encryption key, e.g., as input to a key determination function; in an alternate embodiment, only a portion of the vector is used, possibly in conjunction with other data. It will be appreciated that although the illustrated embodiment utilizes a vector, an alternate embodiment may define a different relation between the encryption location and the waypoint, where this alternate relation is used at least in part to determine the encryption key. The data may then be encrypted 510.
The encrypted data may then be provided 512 to a recipient, e.g., via a wireless transfer, physical transfer, etc. Along with the encrypted data, the recipient receives 514 the waypoint selected by the sender, and the sender's encryption location. To further increase security, in one embodiment, instead of providing the recipient with waypoint position data, e.g., the GPS values corresponding to a particular physical location, only the name or symbol associated with the waypoint is provided to the recipient. In this embodiment, the recipient is therefore required to understand the reference to the waypoint and be able to retrieve the waypoint position data, e.g., the recipient is required to have access to a waypoint database cross-referencing the provided name or symbol with position data, e.g., GPS values, for the waypoint.
The recipient then computes 516 a vector between the position data for the received waypoint and the sender's encryption location. In one embodiment, the recipient is provided with the position data for the sender's encryption location. In another embodiment, for added security, as with sending the selected 500 waypoint, the recipient may only be provided with a symbol or name corresponding to a waypoint for the sender's encryption location. The recipient then uses the vector to determine 518 a decryption key for decrypting the received data. In one embodiment, the entire vector is used in determining the decryption key, e.g., as input to a key determination function; in an alternate embodiment, only a portion of the vector is used, possibly in conjunction with other data. As discussed above, it will be appreciated that instead of a vector, other relationships between the encryption location and the selected waypoint may be used.
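The sender and recipient key derivation of steps 506-518, as an added sketch that is not the patent's own code. The grid quantization, the HMAC-SHA256 derivation, the pre-shared secret (standing in for the "other data") and the waypoint names and coordinates are all assumptions made for the example.

```python
import hashlib
import hmac
import math
import struct

# Constructed waypoint database (name -> lat, lon in degrees); values are illustrative.
WAYPOINTS = {
    "DOCK-7": (45.52310, -122.67650),   # waypoint where decryption must happen
    "DEPOT":  (45.60042, -122.60017),   # sender's encryption location
}
CELL_DEG = 0.001  # assumed grid size (about 100 m of latitude) that defines "at or near"


def cell(lat, lon, size=CELL_DEG):
    """Snap a fix to its integer grid cell so jittery fixes inside one cell agree.
    Fixes on opposite sides of a cell edge still differ, so size cells generously."""
    return (math.floor(lat / size), math.floor(lon / size))


def vector(src, dst):
    """Integer (d_lat, d_lon) cell offset from the encryption location to dst."""
    (a, b), (c, d) = cell(*src), cell(*dst)
    return (c - a, d - b)


def derive_key(vec, end_cell, secret):
    """HMAC-SHA256 over the vector and its end cell, keyed with a pre-shared secret.
    Coordinates are guessable, so the secret is what resists key search."""
    msg = struct.pack(">4q", vec[0], vec[1], end_cell[0], end_cell[1])
    return hmac.new(secret, b"loc-key-v1" + msg, hashlib.sha256).digest()


def sender_key(enc_fix, waypoint_name, secret, db=WAYPOINTS):
    """Steps 506-508: vector from the encryption location to the selected waypoint."""
    wp = db[waypoint_name]
    return derive_key(vector(enc_fix, wp), cell(*wp), secret)


def recipient_key(live_fix, enc_name, waypoint_name, secret, db=WAYPOINTS):
    """Steps 516-518: resolve both names locally, refuse unless the live fix is in the
    waypoint's cell, then rebuild the sender's vector. KeyError means the recipient's
    database cannot resolve a name it was sent."""
    enc, wp = db[enc_name], db[waypoint_name]
    if cell(*live_fix) != cell(*wp):
        raise PermissionError("live fix is outside the selected waypoint's cell")
    return derive_key(vector(enc, wp), cell(*wp), secret)
```

The location gate in `recipient_key` is a software check: the key itself depends only on the database entries and the secret, so the binding to a place is only as strong as the integrity of the position fix and of the device enforcing the check.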
Once the decryption key is determined, it is then used to decrypt 520 data. As discussed above, successful decryption may be contingent on the decryption occurring at or near the selected waypoint. For example, creation or use of the decryption key may be restricted to a real-time operation occurring at or near the selected waypoint. Location determination may be performed arbitrarily precisely depending on location technology employed. For example, while GPS systems provide results accurate within a few yards, other technologies such as terrestrial-broadcast based systems, military systems, or the like, may provide precision within a few inches. In various embodiments, decryption and encryption may be conditioned on occurring at a precise location, and with precise location determination, such locations may be described with non-coordinate data, e.g., the “northwest corner” of a particular room, or at some position determined with respect to an address or a landmark. Such non-coordinate location information increases the burden on one seeking to intercept encoded data. In one embodiment, location information may be provided in advance such as by way of a telephone call, E-mail message, instant message, etc.
In one embodiment, in addition to determining encryption or decryption with respect to non-coordinate data, encryption or decryption may be determined with respect to an offset from a measured spatial point. For example, a pre-determined vector offset from an automatically measured spatial point may be used. Such offsets could be installed in sender/receiver or encoder/decoder systems to improve security. In one embodiment, a progressive offset database may be used, or offset values calculated in relation to time, date, etc. Such offsets may foil attempts at capturing location data or observing the whereabouts of a sender or receiver.
An exemplary environment for embodying, for example, the position locator/encryption/decryption device 114 of
The system may also include embedded controllers, such as Generic or Programmable Logic Devices or Arrays, Application Specific Integrated Circuits, single-chip computers, smart cards, or the like, and the system is expected to operate in a networked environment using physical and/or logical connections to one or more remote machines 614, 616 through a network interface 618, modem 620, or other data pathway. Machines may be interconnected by way of a wired or wireless network 622, such as the network 120 of
The invention may be described by reference to or in conjunction with program modules, including functions, procedures, data structures, application programs, etc. for performing tasks, or defining abstract data types or low-level hardware contexts. Program modules may be stored in memory 606 and/or storage devices 608 and associated storage media, e.g., hard-drives, floppy-disks, optical storage, magnetic cassettes, tapes, flash memory cards, memory sticks, digital video disks, biological storage. Program modules may be delivered over transmission environments, including network 622, in the form of packets, serial data, parallel data, propagated signals, etc. Program modules may be used in a compressed or encrypted format, and may be used in a distributed environment and stored in local and/or remote memory, for access by single and multi-processor machines, portable computers, handheld devices, e.g., Personal Digital Assistants (PDAs), cellular telephones, etc.
Thus, for example, with respect to the illustrated embodiments, assuming machine 600 operates as a first system 100 of
Having described and illustrated the principles of the invention with reference to illustrated embodiments, it will be recognized that the illustrated embodiments can be modified in arrangement and detail without departing from such principles. And, though the foregoing discussion has focused on particular embodiments, other configurations are contemplated. In particular, even though expressions such as “in one embodiment,” “in another embodiment,” or the like are used herein, these phrases are meant to generally reference embodiment possibilities, and are not intended to limit the invention to particular embodiment configurations. As used herein, these terms may reference the same or different embodiments that are combinable into other embodiments.
Consequently, in view of the wide variety of permutations to the embodiments described herein, this detailed description is intended to be illustrative only, and should not be taken as limiting the scope of the invention. What is claimed as the invention, therefore, is all such modifications as may come within the scope and spirit of the following claims and equivalents thereto.
|U.S. Classification||713/162, 713/168|
|Cooperative Classification||H04L2209/80, H04L9/0872|
|Apr 22, 2002||AS||Assignment|
Owner name: INTEL CORPORATION, CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CLAPPER, EDWARD O.;REEL/FRAME:012851/0745
Effective date: 20020117
|Mar 11, 2009||FPAY||Fee payment|
Year of fee payment: 4
|Feb 20, 2013||FPAY||Fee payment|
Year of fee payment: 8